FortiOS Vulnerability Allows LDAP Authentication Bypass
Fortinet has revealed a high-severity authentication bypass vulnerability within its FortiOS operating system. Identified as CVE-2026-22153 (FG-IR-25-1052), this flaw enables unauthenticated attackers to bypass LDAP authentication for Agentless VPN or Fortinet Single Sign-On (FSSO) policies.
Classified under CWE-305 (Authentication Bypass by Primary Weakness), the flaw resides in the fnbamd daemon and requires specific LDAP server configurations enabling unauthenticated binds.
The issue stems from improper handling of LDAP authentication requests. An attacker could exploit this under certain setups, such as those permitting anonymous binds, to gain unauthorized access without valid credentials.
Fortinet rates the flaw High severity under CVSS v3.1; the vector reflects network reachability with moderate attack complexity. The impact is improper access control, potentially allowing unauthorized entry into protected networks through the SSL-VPN components.
Affected Versions and Fixes
Only FortiOS 7.6.0 through 7.6.4 are vulnerable. Other branches like 8.0, 7.4, 7.2, 7.0, and 6.4 remain unaffected. Administrators should upgrade to FortiOS 7.6.5 or later, following the official upgrade path tool.
| FortiOS Version | Affected Sub-versions | Solution |
|---|---|---|
| 8.0 | Not affected | N/A |
| 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| 7.4 | Not affected | N/A |
| 7.2 | Not affected | N/A |
| 7.0 | Not affected | N/A |
| 6.4 | Not affected | N/A |
As a workaround, disable unauthenticated binds on the LDAP server. For Windows Active Directory (Server 2019+), use this PowerShell snippet:
```powershell
# Locate the forest-wide Directory Service object in the configuration partition
$configDN = (Get-ADRootDSE).configurationNamingContext
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
# msDS-Other-Settings is multi-valued; add the entry that rejects unauthenticated (empty-password) binds
Set-ADObject -Identity $dirSvcDN -Add @{'msDS-Other-Settings'='DenyUnauthenticatedBind=1'}
```
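Because msDS-Other-Settings is multi-valued, simply adding the entry can leave a stale DenyUnauthenticatedBind=0 value beside the new one. The following added example (not from the Fortinet advisory) reads the current state, removes any conflicting entry, applies the setting and re-reads it to confirm; it assumes the RSAT ActiveDirectory module and an account permitted to modify the configuration partition.

```powershell
# Added example: check and idempotently apply DenyUnauthenticatedBind on AD DS.
# Assumes the ActiveDirectory (RSAT) module and rights on the configuration partition.
Import-Module ActiveDirectory

function Get-UnauthenticatedBindState {
    $configDN  = (Get-ADRootDSE).configurationNamingContext
    $dirSvcDN  = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
    $obj       = Get-ADObject -Identity $dirSvcDN -Properties 'msDS-Other-Settings'
    # Each entry of the multi-valued attribute has the form "Name=Value"
    $entries   = @($obj.'msDS-Other-Settings')
    $denyEntry = @($entries | Where-Object { $_ -like 'DenyUnauthenticatedBind=*' })
    [pscustomobject]@{
        DirSvcDN = $dirSvcDN
        Entries  = $entries
        Current  = $denyEntry
        Denied   = ($denyEntry -contains 'DenyUnauthenticatedBind=1')
    }
}

function Set-DenyUnauthenticatedBind {
    $state = Get-UnauthenticatedBindState
    if ($state.Denied) {
        Write-Host "Unauthenticated binds already denied on $($state.DirSvcDN)"
        return
    }
    # Remove a stale DenyUnauthenticatedBind=0 (or other) entry so both values
    # do not end up stored side by side in the multi-valued attribute
    $stale = @($state.Current | Where-Object { $_ -ne 'DenyUnauthenticatedBind=1' })
    if ($stale.Count -gt 0) {
        Set-ADObject -Identity $state.DirSvcDN -Remove @{'msDS-Other-Settings' = $stale}
    }
    Set-ADObject -Identity $state.DirSvcDN -Add @{'msDS-Other-Settings' = 'DenyUnauthenticatedBind=1'}
    # Re-read and fail loudly if the change did not land
    $after = Get-UnauthenticatedBindState
    if (-not $after.Denied) { throw "DenyUnauthenticatedBind=1 was not applied on $($after.DirSvcDN)" }
    Write-Host "Unauthenticated binds now denied on $($after.DirSvcDN)"
}

# Report the current state; call Set-DenyUnauthenticatedBind to enforce it
Get-UnauthenticatedBindState
```

The setting is forest-wide, so run it once against any writable domain controller and allow time for replication before treating the workaround as in effect.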
Discovered by Jort Geurts of the Actemium Cyber Security Team via responsible disclosure, the advisory was published today. Fortinet urges immediate patching for exposed SSL-VPN deployments to mitigate risks in enterprise environments reliant on LDAP integration.